VLANs and Advanced ACLs - Restrict the inter-VLAN routing

Created: Oct 15, 2018 21:03:01 | Latest reply: Oct 18, 2018 13:10:15 | Problem resolved
Hi there,

I have the following simple network:



I'm trying to set up some advanced ACLs to control how the VLANs communicate with each other.

My objectives:

  • VLAN 10 can only communicate with some specific IPs and ports on VLAN 20;
  • VLAN 20 can NOT communicate with other VLANs;
  • VLAN 30 can communicate with all VLANs;

My idea is to use advanced ACLs and traffic policies matching outbound traffic. The problem is, this setup is not working correctly, and the VLANs are communicating with each other.

Example config:

ACLs:
acl number 3001
  # This should allow VLAN 10 to communicate with some specific hosts on VLAN 20 (20.0.0.0/24) and deny the rest.
  rule 5 permit tcp destination 20.0.0.2 0 destination-port eq 8000
  rule 10 permit tcp destination 20.0.0.3 0 destination-port eq 443
  rule 15 permit udp destination 20.0.0.10 0 destination-port eq 53
  rule 20 deny ip destination 20.0.0.0 0.0.0.255
  rule 25 deny ip destination 30.0.0.0 0.0.0.255
acl number 3002
  # This should restrict VLAN 20
  rule 5 deny ip destination 10.0.0.0 0.0.0.255
  rule 10 deny ip destination 30.0.0.0 0.0.0.255
#

Traffic Classifiers:

traffic classifier c_users
  if-match acl 3001
traffic classifier c_servers
  if-match acl 3002
#

Traffic Behavior:

traffic behavior b_permit
  permit
#

Traffic Policies:

traffic policy p_users
  classifier c_users behavior b_permit
traffic policy p_servers
  classifier c_servers behavior b_permit
#

VLANs

vlan 10
  name Users
  traffic-policy p_users outbound
vlan 20
  name Servers
  traffic-policy p_servers outbound
vlan 30
  name Management
#

What am I doing wrong?

Thanks!!!


chenhui (Enthusiast Technician) - Created Oct 17, 2018 16:02:20 - Helpful(0)

Hello,
you use the traffic policy under the VLAN with the wrong direction... change outbound to inbound.

Or you can use the traffic policy with outbound, but then you should swap the source and destination addresses in the ACL. You can try this.

Sergio93 (Enthusiast Technician) - Created Oct 15, 2018 21:11:15 - Helpful(1)

Torrent - Created Oct 17, 2018 14:59:58 - Helpful(0)

Hello, your request is contradictory; it is not doable. :)

It is fine that you apply the traffic policy outbound and not inbound; otherwise the network will go down.

VLAN 10 can only communicate with some specific IPs and ports on VLAN 20;
VLAN 20 can NOT communicate with other VLANs;
VLAN 30 can communicate with all VLANs;

VLAN 20 cannot communicate with other VLANs, but your first and third requests both need VLAN 20 reply packets. How can it be achieved?

Maybe you have to double-confirm your request.


intertelecom - Created Oct 17, 2018 21:09:38 - Helpful(0)

This post was last edited by intertelecom at 2018-10-18 00:30.
Posted by Torrent at 2018-10-18 00:30 hello, your request is contradictory, it is not doable.it is fine, you apply the traffic outbound  ...

That's why I'm trying to set outbound-only rules, similar to the way that pfSense works.

VLAN 20 can't initiate a connection to VLAN 10 or 30, but can respond to connections initiated by other VLANs.

I guess I need a stateful ACL in order to accomplish that goal which, of course, is not in the feature scope of a switch.

Torrent - Created Oct 18, 2018 11:17:31 - Helpful(0)

Posted by intertelecom at 2018-10-17 21:09 Posted by Torrent at 2018-10-17 21:09 hello, your request is contradictory, it is not doable.it is f ...
Yes, you are right! If you want such detailed control of your network access, I suggest using a stateful device such as a firewall.
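As an added illustration (my own Python model, not code from the thread or from Huawei) of the two points raised above: the posted policy inspects the wrong direction, and a stateless ACL on VLAN 20 cannot tell the servers' replies from new connections. It assumes first-match evaluation, that a packet matching no rule of an applied ACL is forwarded, and that 10.x/20.x/30.x addresses belong to VLANs 10/20/30.

```python
# Stateless model of the thread's ACL 3001/3002 traffic policies (added example,
# not Huawei code). Simplifications: the first matching rule decides and unmatched
# packets are forwarded; "inbound" on a VLAN inspects packets sent BY its hosts,
# "outbound" inspects packets delivered TO them; the VLAN id is the first octet.
from collections import namedtuple
from ipaddress import IPv4Address

Packet = namedtuple("Packet", "proto src dst sport dport")

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Mask as in 'destination 20.0.0.0 0.0.0.255': 1 bits of the wildcard are ignored.
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def evaluate(acl, pkt: Packet) -> str:
    """Action of the first matching rule, or 'forward' when no rule matches."""
    for action, proto, dst, wildcard, dport in acl:
        proto_ok = proto == "ip" or proto == pkt.proto
        port_ok = dport is None or dport == pkt.dport
        if proto_ok and port_ok and wildcard_match(pkt.dst, dst, wildcard):
            return action
    return "forward"

def vlan_of(addr: str) -> int:
    return int(addr.split(".")[0])  # constructed addressing: 10.x is VLAN 10, etc.

def forward(policies, pkt: Packet) -> str:
    """policies: (vlan, direction, acl) tuples. 'drop' if any applied ACL denies the packet."""
    for vlan, direction, acl in policies:
        applies = vlan_of(pkt.src if direction == "inbound" else pkt.dst) == vlan
        if applies and evaluate(acl, pkt) == "deny":
            return "drop"
    return "forward"

# rules transcribed from the post: (action, proto, destination, wildcard, destination-port)
ACL_3001 = [("permit", "tcp", "20.0.0.2", "0.0.0.0", 8000),
            ("permit", "tcp", "20.0.0.3", "0.0.0.0", 443),
            ("permit", "udp", "20.0.0.10", "0.0.0.0", 53),
            ("deny", "ip", "20.0.0.0", "0.0.0.255", None),
            ("deny", "ip", "30.0.0.0", "0.0.0.255", None)]
ACL_3002 = [("deny", "ip", "10.0.0.0", "0.0.0.255", None),
            ("deny", "ip", "30.0.0.0", "0.0.0.255", None)]
AS_POSTED = [(10, "outbound", ACL_3001), (20, "outbound", ACL_3002)]  # the post's config
INBOUND = [(10, "inbound", ACL_3001), (20, "inbound", ACL_3002)]      # chenhui's first fix

# constructed traffic: an SSH attempt VLAN 10 should not be allowed, a permitted
# request to 20.0.0.2:8000, and the server's reply to that request
SSH = Packet("tcp", "10.0.0.5", "20.0.0.50", 40000, 22)
REQUEST = Packet("tcp", "10.0.0.5", "20.0.0.2", 40001, 8000)
REPLY = Packet("tcp", "20.0.0.2", "10.0.0.5", 8000, 40001)
```

With the policies as posted the SSH attempt is forwarded untouched; switched to inbound it is dropped, but so is the reply from 20.0.0.2, which is exactly the connection-state tracking a firewall provides and the switch ACL does not.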

faysalji (Visitor) - Created Oct 18, 2018 13:10:15 - Helpful(0)

Posted by Torrent at 2018-10-17 11:59 hello, your request is contradictory, it is not doable.it is fine, you apply the traffic outbound ...
Thanks for raising the red flag. Please suggest then what to do and how to do it.